We have to conduct an annual GDPR audit. We've found it far easier to make adjusting the GDPR documentation part of the software development lifecycle than trying to perform an archeological treasure/turd hunt at audit time.
If an annual approach is taken, rather than continual, then the risk is that business priorities may be impacted by regulatory priorities. Imagine an annual audit occurring for an online retailer around Black Friday!
In terms of telemetry from apps, my experience is that it is a bit of a mixed blessing. Production DB servers don't have access to the internet. Ingress/egress are very tightly monitored and controlled.
When MacBooks crash they want to send the stack trace back to Apple. To do this you need an Apple ID. Corporate policy blocks the use of the Apple store so Apple get no benefit from this.
My experience with various other apps is that the send facility tends to be a bit flaky.